When HTML is used in the help_text field of a service catalog variable, the content renders as escaped text. HTML tags in a variable's help text are interpreted only when the system property glide.ui.escape_text is set to false.

Steps to Reproduce

  1. In the self-service portal, open the Something Broken record producer.
  2. Right-click the Open on behalf of this user field label and select Configure variable.
  3. Insert HTML into the Help text field (for example: <span style="color: red;">TEST</span>).
  4. Go back to the Something Broken item in the self-service portal.
  5. Open the help text for the Open on behalf of this user field.
    Note that the content does not render as HTML.


This problem is under investigation and will be fixed in a future release.

Since the release versions listed in the fix target of this problem, Help Text and Help Tag allow HTML content to be rendered in Shopping Cart, RITM, and SC Task. However, this is governed by the property glide.ui.escape_text: HTML content is rendered only when the property is set to false (not recommended); otherwise the HTML is treated as plain text. Labels behave the same way, and this is by design to guard against XSS vulnerabilities, so the fix for this problem makes Service Catalog Help Text and Help Tag consistent with the platform labels.

ServiceNow never recommends placing HTML in Help Text and Help Tag, because it can cause an XSS vulnerability, so ownership of such code always lies with the customer.
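
To review which stored help text would be affected before changing glide.ui.escape_text, the following added example (not ServiceNow code) models the property's effect and flags help text that contains markup. The record shape, function names, and sample rows are constructed for illustration, and it assumes that only the value false disables escaping.

```javascript
// Added example: a model of the behaviour described above, not ServiceNow code.
// Constructed sample rows standing in for catalog variable records.
const sampleVariables = [
  { name: "on_behalf_of", help_text: '<span style="color: red;">TEST</span>' },
  { name: "category", help_text: "Pick the closest match" },
  { name: "details", help_text: '<a href="#" onclick="track()">More</a>' },
];

// Escape HTML metacharacters so markup is displayed as plain text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Assumption: only the literal value "false" turns escaping off.
function rendersHtml(escapeTextProp) {
  return String(escapeTextProp).trim().toLowerCase() === "false";
}

// The string the browser receives for a given property value.
function renderHelpText(helpText, escapeTextProp) {
  return rendersHtml(escapeTextProp) ? helpText : escapeHtml(helpText);
}

// Heuristics, not a sanitizer: any tag, and markup able to run script.
const TAG = /<\/?[a-z][^>]*>/i;
const ACTIVE = /<\s*(script|iframe|object|embed)\b|\son\w+\s*=|javascript\s*:/i;

// List variables whose help text contains markup and how it would be handled.
function auditHelpText(variables, escapeTextProp) {
  const live = rendersHtml(escapeTextProp);
  return variables
    .filter((v) => TAG.test(v.help_text || ""))
    .map((v) => ({
      name: v.name,
      status: !live ? "shown-as-text"
        : ACTIVE.test(v.help_text) ? "renders-active-content"
        : "renders-markup",
    }));
}

console.log(auditHelpText(sampleVariables, "true"));
console.log(auditHelpText(sampleVariables, "false"));
```

Entries reported as renders-active-content are the ones to rewrite as plain text before the property is ever set to false.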

Related Problem: PRB663858

Seen In

Fuji Patch 10
Fuji Patch 11
Fuji Patch 12 Hot Fix 1
Geneva Patch 3 Hot Fix 2
Geneva Patch 4
Geneva Patch 5
Helsinki Patch 0 Hot Fix 1
Helsinki Patch 1
Helsinki Patch 3 Hot Fix 7
Helsinki Patch 6 Hot Fix 1

Fixed In


Article Information

Last Updated: 2018-02-19 21:20:23